Episodes

  • #231 - Tackle Your Technical Debt
    May 5 2025

    Join G Mark Hardy in this eye-opening episode of CISO Tradecraft as he shares a personal story about his dog Shelby's near-fatal experience and the costly lesson it taught him about technical debt. Discover how small overlooked issues in cybersecurity can compound and lead to significant risks and learn actionable steps to tackle technical debt before it turns into a crisis.

    Pictures of Dog

    • https://drive.google.com/file/d/1nBc9e3bBJVW0BQt5inGryhP3ahBz4XsQ/view?usp=drive_link
    • https://drive.google.com/file/d/12V_DuwhgNBKgxJL0yqNq9Fopa4dauJfd/view?usp=drive_link

    Transcripts https://docs.google.com/document/d/1-_X_9RQrurOLKRvbXyMjgbygESsabcCK

    Chapters

    • 00:21 Welcome to CISO Tradecraft
    • 00:36 RSAC 2025 Conference Experience
    • 01:22 Shelby's Health Scare
    • 02:08 Understanding Technical Debt
    • 02:41 The Consequences of Technical Debt
    • 04:09 Shelby's Story as a Technical Debt Analogy
    • 09:28 Lessons Learned from Shelby's Story
    • 13:09 Conclusion and Call to Action
    14 m
  • #230 - How To Make Your AI Less Chatty (with Sounil Yu)
    Apr 28 2025

    In this episode of CISO Tradecraft, host G Mark Hardy and guest Sounil Yu delve into the dual-edged sword of implementing Microsoft 365 Copilot in enterprises. While this productivity tool has transformative potential, it introduces significant oversharing risks that can be mitigated with the right strategies. Discover how Sounil and his team at Knostic have been tackling these challenges for over a year, presenting innovative solutions to ensure both productivity and security. They discuss the importance of 'need to know' principles and knowledge segmentation, providing insight into how organizations can harness the power of Microsoft 365 Copilot safely and effectively. Tune in to learn how to avoid becoming the 'department of no' and start being the 'department of know.'

    Transcripts https://docs.google.com/document/d/1CT9HXdDmKojuXzWTbNYUE4Kgp_D64GyB

    Knostic's Website - https://www.knostic.ai/solution-brief-request

    Chapters

    • 00:00 Introduction to Microsoft Copilot Risks
    • 00:32 Meet the Guest: Sounil Yu
    • 02:51 Understanding Microsoft 365 Copilot
    • 06:09 The DIKW Pyramid and Knowledge Management
    • 08:34 Challenges of Data Permissions and Oversharing
    • 19:01 Need to Know: A New Approach to Access Control
    • 35:10 Measuring and Mitigating Risks with Copilot
    • 39:46 Conclusion and Next Steps
    45 m
  • #229 - Understanding the Critical Role of CVEs and CVSS
    Apr 21 2025

    In this episode of CISO Tradecraft, host G Mark Hardy delves into the crucial topic of Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Learn about the history, structure, and significance of the CVE database, the recent funding crisis, and what it means for the future of cybersecurity. We also explore the intricacies of CVE scoring and how it aids in prioritizing vulnerabilities. Tune in to understand how as a CISO, you can better prepare your organization against cyber threats and manage vulnerabilities efficiently.

    Transcripts: https://docs.google.com/document/d/13VzyzG5uUVLGVhPA5Ws0UFbHPnfHbsII

    Chapters

    • 00:00 Introduction to CVE and CVSS
    • 01:13 History of Vulnerability Tracking
    • 03:07 The CVE System Explained
    • 06:47 Understanding CVSS Scoring
    • 13:11 Recent Funding Crisis and Its Impact
    • 15:53 Future of the CVE Program
    • 18:27 Conclusion and Final Thoughts
    20 m
  • #228 - CIS CSAT (with Scott Gicking)
    Apr 14 2025

    Join host G Mark Hardy on CISO Tradecraft as he welcomes expert Scott Gicking to discuss the Center for Internet Security's (CIS) Controls Self-Assessment Tool (CSAT). Learn what CSAT is, how to effectively use it, and how it can enhance your career in cybersecurity. Stay tuned for insights on creating effective security frameworks, measuring maturity, and improving organizational security posture using the CSAT tool.

    Scott Gicking - https://www.linkedin.com/in/scottgickingus/

    CIS CSAT - https://www.cisecurity.org/controls/cis-controls-self-assessment-tool-cis-csat

    Transcripts: https://docs.google.com/document/d/1WAI9U0WEUSJH1ZVWM1HdtFEf-O9hLJBe

    Chapters

    • 01:16 Guest Introduction: Scott Gicking
    • 02:49 Scott's Career Journey
    • 04:03 The Hollywood Cybersecurity Incident
    • 07:38 Introduction to CIS and Its Importance
    • 09:49 Understanding the CIS CSAT Tool
    • 10:13 Implementing CIS CSAT in a Real-World Scenario
    • 13:00 Benefits of the CIS CSAT Tool
    • 18:38 Developing a Three-Year Roadmap with CSAT
    • 23:25 Scoring Policies and Controls
    • 24:20 Control Implementation and Automation
    • 25:22 CMMC Certification Levels
    • 27:52 Honest Self-Assessment
    • 30:01 Quick and Dirty Assessment Approach
    • 33:07 Building Trust and Reporting
    • 37:38 Business Impact Analysis Tool
    • 40:02 Reputational Damage and CISO Challenges
    • 42:55 Final Thoughts and Contact Information
    45 m
  • #227 - The 30 Year CISO Evolution
    Apr 7 2025

    Ever wonder how the CISO role went from obscure techie to boardroom MVP? In this episode of CISO Tradecraft, G Mark Hardy takes you on a journey through the evolution of the Chief Information Security Officer — from Steve Katz's groundbreaking appointment at Citibank in 1995 to the high-stakes, high-impact role CISOs play today.

    Transcripts: https://docs.google.com/document/d/1FlKBW6zlVBqLoSTQMGZIfz--ZLD_aS9t/edit

    Chapters

    • 00:00 Introduction to the Evolution of the CISO Role
    • 00:58 The First CISO: Steve Katz's Pioneering Journey
    • 03:58 Rise of Security Certifications
    • 08:39 Regulatory Wake-Up Calls and Compliance
    • 12:23 Cybersecurity in the Age of State-Sponsored Attacks
    • 17:58 The Impact of Major Cyber Incidents
    • 25:07 Modern Challenges and the Future of the CISO Role
    • 27:51 Conclusion and Final Thoughts
    29 m
  • #226 - Vulnerability Management (with Chris Hughes)
    Mar 31 2025

    In this episode of CISO Tradecraft, we host Chris Hughes, CEO of Aquia, cybersecurity consultant, and author. Chris shares insights on the evolving landscape of cybersecurity, discussing software supply chain threats, vulnerability management, relationships between security and development, and the future impacts of AI. Tune in to gain expert advice on becoming an effective cybersecurity leader.

    Chris Hughes - https://www.linkedin.com/in/resilientcyber/

    Transcripts: https://docs.google.com/document/d/1j5ernS0Gk3LH-qcjhi6gOfojBqQljGhi

    Chapters

    • 00:00 Introduction and Special Guest Announcement
    • 00:55 Chris Hughes' Background and Career Journey
    • 02:46 Government and Industry Engagement
    • 03:42 Supply Chain Security Challenges
    • 07:34 Vulnerability Management Insights
    • 12:13 Navigating the Overwhelming Vulnerability Landscape
    • 22:19 Building Positive Relationships in Cybersecurity
    • 23:41 Empowering Risk-Informed Decisions
    • 24:29 Aligning with Organizational Risk Appetite
    • 25:33 Navigating Job Changes and Organizational Fit
    • 26:32 The Role of Compliance in Security
    • 33:27 The Impact of AI on Security
    • 43:05 Balancing Build vs. Buy Decisions
    • 45:05 Conclusion and Final Thoughts
    46 m
  • #225 - The Full Irish
    Mar 24 2025

    In this episode of CISO Tradecraft, host G. Mark Hardy introduces 'The Full Irish,' a cybersecurity framework based on the '12 Steps to Cybersecurity' guidance from Ireland's National Cyber Security Centre. The episode covers comprehensive steps from governance and risk management to incident response and resilience, making it a valuable resource for cybersecurity professionals. G Mark also discusses the implications of multinational companies operating in Ireland, including tax strategies and notable GDPR fines. The episode provides pragmatic guidance and actionable insights to enhance your cybersecurity program.

    References: https://www.ncsc.gov.ie/pdfs/Cybersecurity_12_steps.pdf

    Transcripts: https://docs.google.com/document/d/1VLeRozClLZAkZsusYsUn4Q9_1v7WCoN0

    Chapters

    • 00:00 Introduction to the Full Irish
    • 01:32 Why Ireland?
    • 02:40 Tax Avoidance Schemes
    • 04:25 GDPR Penalties and Data Protection
    • 05:54 Overview of the 12 Steps to Cybersecurity
    • 07:19 Step 1: Governance and Organization
    • 09:24 Step 2: Identify What Matters Most
    • 10:31 Step 3: Understanding the Threats
    • 12:35 Step 4: Defining Risk Appetite
    • 14:10 Step 5: Education and Awareness
    • 16:00 Step 6: Implement Basic Protections
    • 18:00 Step 7: Detect an Attack
    • 19:37 Step 8: Be Prepared to React
    • 21:24 Step 9: Risk-Based Approach to Resilience
    • 22:52 Step 10: Automated Protections
    • 23:58 Step 11: Challenge and Test Regularly
    • 25:29 Step 12: Cyber Risk Management Lifecycle
    • 26:29 Conclusion and Final Thoughts
    29 m
  • #224 - The Evolution of Data Loss Prevention (DLP)
    Mar 17 2025

    In this episode of CISO Tradecraft, host G. Mark Hardy dives into the evolution, challenges, and solutions of Data Loss Prevention (DLP). From early methods like 'dirty word lists' in the military to advanced AI and machine learning models of today, discover how DLP technologies have developed to safeguard sensitive information. Learn about different DLP phases, regulatory impacts, and modern tools like Microsoft Purview that can help manage and classify data effectively. This episode is packed with valuable insights to help you tackle data security with confidence and efficiency.

    Transcripts

    • https://docs.google.com/document/d/1u7owNI5P3WajJvRPIXbzrUYy-PCsRcfC

    References

    • Crash course in Microsoft Purview: A guide to securing and managing your data estate

    Chapters

    • 00:00 Introduction to Data Loss Prevention (DLP)
    • 00:45 Early Days of DLP: Dirty Word Lists and Simple Networks
    • 02:39 Evolution of DLP: Content Filtering and Endpoint Protection
    • 06:05 Advanced Content Inspection and Policy Enforcement
    • 09:19 Unified DLP and Cloud Adoption
    • 16:04 Modern DLP: AI, Machine Learning, and Zero Trust
    • 19:12 Implementing DLP with Microsoft Purview
    • 28:59 Summary and Final Thoughts
    31 m